Transaction verification through enhanced authentication

ABSTRACT

Methods, systems, and computer program products for providing transaction verification through enhanced authentication are provided. A method performed by a computer system may include receiving one or more credentials to authenticate an application programming interface request received from a second computer system based on a first level of authentication, generating an additional authentication challenge to further authenticate the application programming interface request in response to detecting a change associated with the second computer system, issuing the additional authentication challenge to the second computer system, and processing the application programming interface request based on a result of the additional authentication challenge. 
In some examples, the additional authentication challenge may be encrypted using a key associated with the second computer system before issuance of the additional authentication challenge. For example, the key may be a public key corresponding to a private key stored in a highly secure area on the second computer system.

TECHNICAL FIELD

The present invention generally relates to computer system security and, more particularly, to verification of computer-initiated transactional requests using enhanced authentication.

BACKGROUND

An application programming interface (API) generally refers to a set of one or more functions, procedures, components, and services provided by a software library or a computer system. Web APIs allow clients to consume API services offered by another computer system over the internet. However, web APIs can be vulnerable to various types of cyber-attacks.

For example, a takeover of a client computer system can provide an attacker with credentials and unlimited access to web APIs accessible from a compromised client. In addition, a man-in-the-middle attacker may intercept and use web API authentication credentials to access private information, credit card accounts, bank accounts, or other secure data by impersonating a client.

Highly restrictive security measures may offer increased web API security. However, such measures can disrupt the flow of legitimate traffic and transactions. Accordingly, improved methods of authentication can provide better protection against takeover, man-in-the-middle, and other types of cyber-attacks while flexibly accepting routine changes occurring on a computer system or network without disrupting legitimate activity.

BRIEF DESCRIPTION OF THE DRAWINGS

Various examples of the present disclosure will be understood more fully from the detailed description given below and from the accompanying drawings of various examples of the disclosure. In the drawings, like reference numbers may indicate identical or functionally similar elements. The drawing in which an element first appears is generally indicated by the left-most digit in the corresponding reference number.

FIG. 1 is a block diagram illustrating a system architecture, in accordance with various examples of the present disclosure.

FIG. 2 is a flow diagram illustrating transaction verification using enhanced authentication, according to an example of the present disclosure.

FIG. 3 is a flow diagram illustrating transaction verification using enhanced authentication with encryption, according to an example of the present disclosure.

FIG. 4 is a block diagram of an exemplary computer system that may perform one or more of the operations described herein.

DETAILED DESCRIPTION

Systems, methods, and computer program products for verifying transactions using enhanced authentication are disclosed.

In an example, a client computer system seeks to use an application programming interface (API) provided by a server computer system. The server receives a key from the client for encrypting one or more additional authentication challenges to be issued to the client beyond a first level of authentication.

In an example, a client may provide the key to the server at a time of initial account registration and setup, at a subsequent time as part of an account or registration update, when the account associated with the client exceeds a transaction volume threshold, when the account or sales of the account associated with the client exceeds a monetary value threshold, when it is determined that data handled by the account associated with the client is classified as sensitive, based on a request from the server, or at any other time or based on any other criteria.

In an example, the client sends a request to use a server-provided API. The client also provides one or more authentication credentials to allow the server to authenticate the client's API request based on a first level of authentication.

In an example, the server authenticates the API request, analyzes information associated with the client (e.g., identity, location, behavior, etc.), and detects that one or more attributes of the client have changed. In response, the server generates an additional authentication challenge to further authenticate the API request received from the client. In one example, the server encrypts the additional authentication challenge using the key received from the client and sends the encrypted additional authentication challenge to the client.

In an example, the client receives the encrypted additional authentication challenge. In one example, the key for decrypting the encrypted additional authentication challenge is stored in a highly secure area owned by an administrator or other privileged account of the client computer system. The client escalates the encrypted additional authentication challenge to the privileged account having access to the decryption key in the highly secure area. The privileged account then returns the decrypted additional authentication challenge for further processing.

In an example, the server receives a response to the encrypted additional authentication challenge from the client. The server then analyzes the response, determines whether a result of the additional authentication challenge was successful or unsuccessful, and processes the API request received from the client based on the result.

Accordingly, aspects of the present disclosure provide improved security of application programming interfaces (APIs) to protect against server takeovers and man-in-the-middle attacks while allowing administrative and other legitimate changes to be made without incident.

FIG. 1 illustrates an exemplary system architecture 100 in which examples of the present disclosure may be implemented. System architecture 100 includes a server machine 110, a data store 180 and client machines 102A-102N connected to a network 104. Network 104 may be a public network (e.g., the Internet), a private network (e.g., a local area network (LAN) or wide area network (WAN)), or a combination thereof. In an example, network 104 may include the Internet and/or one or more intranets, wired networks, wireless networks, and/or other appropriate types of communication networks. In one example, the network 104 may comprise a wireless telecommunications network (e.g., cellular phone network) adapted to communicate with other communication networks, such as the Internet.

Data store 180 is persistent storage that is capable of storing various types of data, such as text, audio, video and image content. In some examples data store 180 might be a network-attached file server, while in other examples data store 180 might be some other type of persistent storage such as an object-oriented database, a relational database, and so forth.

Client machines 102A-102N may be personal computers (PC), laptops, mobile phones, tablet computers, server computers, wearable computing devices, or any other computing devices. Client machines 102A-102N may run an operating system (OS) that manages hardware and software of the client machines 102A-102N. A browser (not shown) may run on the client machines (e.g., on the OS of the client machines). The browser may be a web browser that can access content and services provided by a web server 120 of server machine 110. Other types of computer programs and computer scripts also may run on client machines 102A-102N.

Client machines 102A-102N each may include a web server 104A, 104N and a secure area 106A, 106N used to store keys 108A, 108N. Web servers 104A, 104N may include web and/or application servers configured to utilize one or more application programming interfaces (APIs) provided by server machine 110. An API generally refers to an interface provided for utilizing functionality of software components or other software-based services available from a computer system or software library.

APIs may include any software-based API, such as operating system APIs, programming language APIs, web-based APIs, web services (SOAP, REST, etc.), public APIs, private APIs, proprietary APIs, mobile APIs, transactional APIs, etc. In some examples, use of APIs provided by server machine 110 may be secured and/or tied to user accounts of clients 102A-102N. Thus, a client 102A may provide one or more authentication credentials (e.g., a user name and/or password) to server machine 110 to use an API exposed by server machine 110.

In an example, client machines 102A-102N use an API provided by server machine 110 to initiate and complete various types of transactions. For example, client machines 102A-102N may use one or more server machine 110 APIs to purchase goods, sell goods, transfer money, make payments, perform various financial transactions, etc. Client machines 102A-102N may be associated with the same organization or may include computer systems that are operated by different organizations. For example, client machines 102A-102N may be comprised of computer systems of unrelated organizations that each have contracted to utilize services provided from an API on server machine 110.

Clients 102A-102N each may include a corresponding secure area 106A-106N used to store a respective key 108A-108N and other secure data. A secure area 106A-106N generally refers to any area on a computer system that is separate and inaccessible to a web server, application server, computer program or process used to call server machine 110 APIs. For example, a secure area 106A may be a storage area owned by a root account, an administrative user, or another user. In some examples, data access to a secure area 106A requires privilege escalation or assistance from a user or account authorized to access the secure area 106A (e.g., root, administrator, etc.).

Keys 108A-108N generally refer to one or more pieces of information that determine the functional output of a cryptographic algorithm or cipher. For example, a key 108A may be used to encrypt and/or decrypt various types of data and may include symmetric keys, asymmetric keys, hash functions, or any other data that may be used to encrypt or decrypt data. A key 108A may be associated with one or more computer systems of a client 102A. In an example, a key 108A may be associated with a single client 102A computer system or associated with multiple clients 102A-102N.

Server machine 110 may be a rackmount server, a router computer, a personal computer, a portable digital assistant, a mobile phone, a laptop computer, a tablet computer, a camera, a video camera, a netbook, a desktop computer, a media center, or any combination thereof. Server machine 110 may include a web server 120 and a transaction authentication system 130. In some examples, web server 120 and transaction authentication system 130 may run on one or more different machines.

Web server 120 may provide text, audio, and video images from data store 180 to clients 102A-102N. Web server 120 also may provide web-based application services and business logic to clients 102A-102N. Clients 102A-102N may locate, access and consume various forms of content and services from web server 120 using applications, such as a web browser, web servers, application servers, computer programs, etc. Web server 120 also may receive text, audio, video and image content from clients 102A-102N that is saved in data store 180 for purposes that may include preservation and distribution of content. Further, web server 120 may receive API requests from various clients 102A-102N.

In an example, web server 120 is coupled to one or more application servers (not shown) that provide applications, services, and transactional APIs to clients 102A-102N. For example, web server 120 may provide clients 102A-102N with access to one or more application services, which include but are not limited to banking, electronic commerce, e-mail, social networking, etc. Such functionality also may be provided, for example, as one or more different web applications, standalone applications, systems, plugins, web browser extensions, and application programming interfaces (APIs). In some examples, plugins and extensions may be referred to, individually or collectively, as add-ons.

In an example, some clients 102A-102N may include applications associated with a service provided by server 110. In one example, one or more device types (e.g., smart phones, smart televisions, tablet computers, etc.) may use applications to access content provided by server 110, to issue commands to server 110, and/or to receive content from server 110 without visiting or using web pages.

In an example, functions performed by server 110 and/or web server 120 also may be performed by the client machines 102A-102N, in whole or in part. In addition, the functionality attributed to a particular component may be performed by different or multiple components operating together. Server 110 also may be accessed as a service provided to other systems or devices via appropriate application programming interfaces, and thus is not limited to use with websites.

In an example, transaction authentication system 130 includes an API request receiver module 140, an API security manager module 150, and an API request processor module 160. In other examples, functionality associated with API request receiver module 140, API security manager module 150, and API request processor module 160 may be combined, divided and organized in various arrangements.

In an example, API request receiver module 140 receives API requests sent to server machine 110 by clients 102A-102N. For example, API request receiver module 140 may receive API requests sent from a client 102A to a web or application server running on server machine 110. API request receiver module 140 also may receive one or more API credentials from a client 102A, for example, to authenticate use of a secure API by the client.

In an example, API security manager module 150 receives keys for performing additional authentication of server machine 110 API requests. For example, API security manager module 150 may receive a respective key from each of one or more clients 102A-102N. In one example, API security manager module 150 receives a key from a client 102A, associates the received key with the client 102A, and stores the received key for encrypting one or more additional authentication challenges to be issued to the client 102A.

In an example, a client 102A provides an encryption key to server machine 110 at a time of initial account registration and setup, at a subsequent time as part of an account or registration update, when the account associated with the client 102A exceeds a transaction volume threshold, when the account or sales of the account associated with the client 102A exceeds a monetary value threshold, when it is determined that data handled by the account associated with the client 102A is classified as sensitive, based on a request from the server, or at any other time or based on any other criteria.

In an example, API security manager module 150 associates a client-provided key with a specific client 102A or multiple clients 102A-102N during a registration process where one or more clients 102A-102N are configured to access a secure API provided by server machine 110. In one example, API security manager module 150 identifies and stores information about one or more clients 102A-102N associated with a client-provided key. For example, API security manager module 150 may collect identifying information about each of one or more clients 102A-102N (e.g., machine name, IP address, MAC address, domain, network information, network paths, etc.). Such information may include attributes unique to a client 102A and other general information known about the client (e.g., typical transaction periods, frequency, amounts, etc.). API security manager module 150 may store such information for each of one or more clients 102A-102N in corresponding client profiles.

In an example, API security manager module 150 compares identifying information known about a client 102A to new corresponding information gathered, collected or received from a client 102A at another time. For example, API security manager module 150 may compare identifying information known about a client 102A to information associated with or gathered at the time an API request is received from the client 102A.

In an example, API security manager module 150 detects a change associated with the client 102A based on one or more of identification information associated with a client 102A, network information associated with a client 102A, usage of a server machine 110 API by a client 102A, transactional attributes of an API request received from a client 102A, etc. For example, API security manager module 150 may generate one or more additional authentication challenges to issue to a client 102A in response to detecting one or more changes associated with identity and/or behavior of the client 102A.

Additional authentication challenges generally refer to a second or extra level of authentication performed by API security manager module 150 to further authenticate a client 102A beyond first-level authentication. In some examples, API security manager module 150 may generate and issue one or more additional authentication challenges to a client 102A randomly, in view of a detected change associated with a client 102A, based on a client 102A request (e.g., during client 102A registration or testing), when a client 102A exhibits suspicious behavior deviating from an observed pattern of past client 102A behavior, in addition to first-level authentication to further authenticate a server machine 110 API request received from a client 102A, etc. In some examples, a first-level authentication challenge may ask a client 102A to provide one or more credentials, such as a username, password, PIN, passphrase, etc.

In an example, an additional authentication challenge may request that a client 102A solve one or more mathematical calculations, answer one or more questions, or perform one or more tasks. In one example, API security manager module 150 issues an additional authentication challenge to a client 102A requesting that the client 102A perform the task of obtaining a resource (e.g., a file) from a particular computer system or network location.

In an example, API security manager module 150 issues an additional authentication challenge involving one or more mathematical problems. For example, API security manager module 150 may ask a client 102A to solve a mathematical problem that is numeric, an equation, a puzzle, or a mathematical problem described in words. In one example, API security manager module 150 asks a client 102A to provide a plurality of answers for a mathematical problem having at least two correct answers (e.g., correct positive and negative answers, etc.).

In an example, API security manager module 150 encrypts an additional authentication challenge generated for a client 102A with a key that has been associated with the client 102A. In one example, API security manager module 150 encrypts an additional authentication challenge with a client 102A associated key prior to issuing the additional authentication challenge to the client 102A. For example, API security manager module 150 may encrypt the additional authentication challenge using a key previously received from the client 102A during a registration process to utilize a server machine 110 API.

In an example, a client 102A provided key received by API security manager module 150 may be used to perform one of symmetric or asymmetric encryption/decryption between server machine 110 and a client 102A. In one example, a key 108A provided to API security manager module 150 by a client 102A may be used both to encrypt and decrypt an additional authentication challenge. In another example, a client may provide a key to API security manager module 150 for encrypting an additional authentication challenge that the client 102A later decrypts using a corresponding, but different key 108A. For example, client 102A may provide API security manager module 150 with a public key for encrypting data that client 102A decrypts using a private key 108A stored in a highly secure area 106A owned by an administrative user account.

In an example, API security manager module 150 issues an additional authentication challenge to a client 102A and waits for a response. In one example, a client 102A receives an encrypted additional authentication challenge issued from API security manager module 150. For example, a web server 104A, application server, or other computer program running on client 102A may receive an encrypted additional authentication challenge from API security manager module 150. The web server 104A, application server, or other computer program running on client 102A then may escalate the encrypted additional authentication challenge to a privileged user account or process having access to a secure area 106A holding a key 108A for decrypting the encrypted additional authentication challenge. The elevated user or process then may decrypt the additional authentication challenge and return the result to the calling web server 104A, application server, or other computer program of client 102A. Client 102A then may process the additional authentication challenge and return a corresponding response to API security manager module 150 for evaluation.
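The encrypted challenge and the escalation step described above can be sketched as follows. This is an added example, not code from the disclosure: it uses RSA-OAEP from the third-party Python `cryptography` package in place of the PGP key pair the text mentions, models the secure area as an object rather than a separate privileged process, and uses a random nonce as the challenge; all class and function names are hypothetical.

```python
import hmac
import json
import secrets

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# RSA-OAEP with SHA-256 (assumed scheme; the text only says "public key").
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


class SecureArea:
    """Stands in for secure area 106A: the only holder of private key 108A."""

    def __init__(self):
        self._private_key = rsa.generate_private_key(public_exponent=65537,
                                                     key_size=2048)

    def public_key_pem(self):
        # Only the public half ever leaves the secure area (sent at registration).
        return self._private_key.public_key().public_bytes(
            serialization.Encoding.PEM,
            serialization.PublicFormat.SubjectPublicKeyInfo)

    def decrypt_challenge(self, ciphertext):
        # Raises ValueError if the ciphertext was not produced for this key.
        return json.loads(self._private_key.decrypt(ciphertext, OAEP))


class ChallengeServer:
    """Server side: stores the registered key, issues and checks challenges."""

    def __init__(self):
        self.keys = {}      # client id -> registered public key
        self.pending = {}   # client id -> nonce the server expects back

    def register_key(self, client_id, public_key_pem):
        self.keys[client_id] = serialization.load_pem_public_key(public_key_pem)

    def issue_encrypted_challenge(self, client_id):
        nonce = secrets.token_hex(16)
        self.pending[client_id] = nonce
        body = json.dumps({"client": client_id, "nonce": nonce}).encode()
        return self.keys[client_id].encrypt(body, OAEP)

    def check_response(self, client_id, nonce):
        expected = self.pending.pop(client_id, None)   # one attempt per challenge
        if expected is None or not isinstance(nonce, str):
            return False
        return hmac.compare_digest(expected.encode(), nonce.encode())


def answer_challenge(ciphertext, secure_area):
    """Runs in the unprivileged web tier: it only sees ciphertext and must
    hand it to the privileged key holder to learn the challenge."""
    try:
        challenge = secure_area.decrypt_challenge(ciphertext)
    except ValueError:
        return None     # wrong key: the challenge cannot be answered
    return challenge["nonce"]


if __name__ == "__main__":
    area = SecureArea()
    server = ChallengeServer()
    server.register_key("client-102A", area.public_key_pem())
    ct = server.issue_encrypted_challenge("client-102A")
    print("legitimate client:", server.check_response(
        "client-102A", answer_challenge(ct, area)))
    ct = server.issue_encrypted_challenge("client-102A")
    print("credentials only, no key:", server.check_response(
        "client-102A", answer_challenge(ct, SecureArea())))
```

A party holding only the first-level credentials receives the same ciphertext but cannot recover the nonce without access to the secure area.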

In an example, API security manager module 150 waits for a period of time after issuing an additional authentication challenge to allow a client 102A to receive, process, and respond to the additional authentication challenge. In one example, API security manager module 150 allows a client 102A to respond to an issued additional authentication challenge before a timeout occurs based on a threshold. Further, when API security manager module 150 does not receive a response from a client 102A before a timeout occurs, then a new additional authentication challenge may be issued, an issued additional authentication challenge may be reissued, or the issued authentication challenge may be deemed unsuccessful without further attempt.

In an example, API security manager module 150 receives a response to an issued additional authentication challenge from client 102A, analyzes the response to the additional authentication challenge received from the client 102A, and determines whether the response to the additional authentication challenge is correct or acceptable. In one example, API security manager module 150 then provides a result of the additional authentication challenge to API request processor module 160 based on the determination. For example, API security manager module 150 may indicate whether the additional authentication challenge issued to a client 102A was successful or unsuccessful.

In an example, API request processor module 160 performs one or more activities based on a result of the additional authentication challenge. For example, API request processor module 160 may execute a server machine 110 API request received from a client 102A based on a successful result of an additional authentication challenge. API request processor module 160 also may deny a server machine 110 API request from a client 102A when an incorrect response is received or no response is provided for an additional authentication challenge.

In an example, API request processor module 160 blocks one or more pending or subsequent server machine 110 API requests from a client 102A associated with an unsuccessful additional authentication challenge. API request processor module 160 also may block one or more pending or subsequent server machine 110 API requests from clients 102A-102N related to another client associated with an unsuccessful additional authentication challenge. For example, multiple clients 102A-102N associated with a user account or associated with a party that contracted to use a server machine 110 API may be blocked under such circumstances.
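The challenge lifecycle described above (a mathematical problem with two correct answers, a response timeout, and execute/deny/block processing) is sketched below as an added example that is not code from the disclosure. The class name, the 30-second default, the choice of problem, and the policy of treating every failure as unsuccessful without reissue are assumptions; `client_id` is assumed to have already passed first-level authentication.

```python
import hmac
import secrets
import time


class ChallengeManager:
    """Issues one-time challenges and turns responses into allow/deny decisions."""

    def __init__(self, timeout_seconds=30.0, clock=time.monotonic):
        self.timeout_seconds = timeout_seconds
        self.clock = clock      # injectable so the timeout can be exercised
        self.pending = {}       # challenge id -> (client id, expected, deadline)
        self.blocked = set()    # clients whose API requests are refused

    def issue(self, client_id):
        """Create a problem with two correct answers: both roots of x^2 = n."""
        root = 100 + secrets.randbelow(900)
        challenge_id = secrets.token_urlsafe(16)
        expected = f"{-root},{root}"    # canonical form: sorted, comma-separated
        deadline = self.clock() + self.timeout_seconds
        self.pending[challenge_id] = (client_id, expected, deadline)
        return {"id": challenge_id, "n": root * root,
                "question": f"Give both integer solutions of x^2 = {root * root}"}

    def verify(self, client_id, challenge_id, answers):
        """True only for a timely, complete, correct answer from the right client."""
        entry = self.pending.pop(challenge_id, None)    # single use, even on failure
        ok = False
        if entry is not None:
            owner, expected, deadline = entry
            try:
                given = ",".join(str(v) for v in sorted(int(a) for a in answers))
            except (TypeError, ValueError):
                given = ""      # malformed response counts as incorrect
            ok = (owner == client_id
                  and self.clock() <= deadline
                  and hmac.compare_digest(given.encode(), expected.encode()))
        if not ok:
            self.blocked.add(client_id)     # block pending and subsequent requests
        return ok

    def expire(self):
        """Deem unanswered challenges unsuccessful once their deadline has passed."""
        now = self.clock()
        timed_out = [cid for cid, (_, _, deadline) in self.pending.items()
                     if deadline < now]
        for cid in timed_out:
            client_id, _, _ = self.pending.pop(cid)
            self.blocked.add(client_id)
        return len(timed_out)

    def process_request(self, client_id, challenge_passed):
        """Execute the API request only after a successful challenge result."""
        if client_id in self.blocked or not challenge_passed:
            return "denied"
        return "executed"


if __name__ == "__main__":
    import math
    mgr = ChallengeManager()
    ch = mgr.issue("client-102A")
    r = math.isqrt(ch["n"])
    passed = mgr.verify("client-102A", ch["id"], [r, -r])
    print(ch["question"], "->", mgr.process_request("client-102A", passed))
```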

In an example, API request processor module 160 sends a notification to a user associated with a client 102A account, a server 110 account, or a contracted party when an unsuccessful additional authentication challenge occurs and/or a security adjustment is made in response to an unsuccessful additional authentication challenge. For example, API request processor module 160 may notify an account holder by sending an e-mail, initiating a call, sending a text message, etc. In some examples, API request processor module 160 adjusts a risk model associated with one or more clients 102A-102N or accounts based on results of additional authentication challenges.

FIG. 2 is a flow diagram illustrating transaction verification using enhanced authentication, according to an example of the present disclosure. The method 200 may be performed by processing logic that may comprise hardware (circuitry, dedicated logic, programmable logic, microcode, etc.), software (such as instructions run on a general purpose computer system, dedicated machine, or processing device), firmware, or a combination thereof.

Method 200 begins at block 202 when an API request receiver module 140 of a transaction authentication system 130 receives one or more credentials to authenticate an application programming interface (API) request received from a second computer system based on a first level of authentication. In an example, API request receiver module 140 receives one or more credentials to authenticate a server machine 110 API request from a client 102A. For example, a client may be prompted or use an available API to provide one or more of a username, password, PIN, passphrase, etc. to satisfy a first level of authentication associated with a server machine API. In one example, API request receiver module 140 receives client 102A credentials with an API request from the client 102A. Such credentials may be provided by a client 102A, for example, once at the beginning of a session, one or more times throughout a session, or generally any number of times.

At block 204, an API security manager module 150 of a transaction authentication system 130 issues an additional authentication challenge to the second computer system to further authenticate the application programming interface request. In an example, API security manager module 150 generates an additional authentication challenge to further authenticate a server machine 110 API request from a client 102A beyond a standard first level of authentication. For example, API security manager module 150 may generate an additional authentication challenge that is issued to a client 102A requesting access to or use of a server machine 110 API.

In an example, API security manager module 150 generates and issues an additional authentication challenge to a client 102A in response to detecting a change associated with the client 102A. For example, API security manager module 150 may detect an identity change, a network change, a behavioral change, suspicious transactional behavior, or another change associated with a client 102A. In response, API security manager module 150 may generate and issue one or more additional authentication challenges to the respective client 102A associated with the detected change.

In an example, API security manager module 150 receives a response to an additional authentication challenge from a client 102A. API security manager module 150 then analyzes the response to the additional authentication challenge to determine whether the response is correct or incorrect. In some examples, a client 102A provides an encrypted response to the additional authentication challenge, for example using SSL, to preserve data privacy and to protect the data from unauthorized interception. In one example, API security manager module 150 provides a result of the additional authentication challenge to API request processor module 160 based on the determination. For example, the result provided by API security manager module 150 may indicate whether the additional authentication challenge was successful or unsuccessful.

At block 206, an API request processor module 160 of a transaction authentication system 130 processes the application programming interface request received based on a result of the additional authentication challenge. In an example, API request processor module 160 of a server machine 110 API executes a request received from a client 102A based on a successful additional authentication challenge result. In an example, API request processor module 160 denies a server machine 110 API request from a client 102A based on an unsuccessful additional authentication challenge result.

In an example, API request processor module 160 blocks one or more pending and/or subsequent server machine 110 API requests from a client 102A based on an unsuccessful additional authentication challenge result. In one example, API request processor module 160 blocks one or more pending and/or subsequent server machine 110 API requests from a group of clients 102A-102N associated with one or more unsuccessful additional authentication challenges. For example, a group of two or more clients 102A-102N associated with an account or party that contracted to use a server machine 110 API may be blocked in response to an unsuccessful authentication challenge result for one client 102A.

In an example, API request processor module 160 notifies one or more of a user, a client account holder, or a server machine 110 API owner in response to one or more unsuccessful additional authentication challenges (e.g., a single unsuccessful result, a number of consecutive unsuccessful results, a proportion of unsuccessful results in a sampling of results that exceeds a predefined threshold, etc.). For example, API request processor module 160 may send an e-mail, initiate a call, send a text message, etc. API request processor module 160 also may adjust a risk model associated with one or more clients 102A-102N based on a result of an additional authentication challenge. For example, a client 102A trust level may increase in response to a successful result and may decrease in response to an unsuccessful result.

FIG. 3 is a flow diagram illustrating transaction verification using enhanced authentication with encryption, according to an example of the present disclosure. The method 300 may be performed by processing logic that may comprise hardware (circuitry, dedicated logic, programmable logic, microcode, etc.), software (such as instructions run on a general purpose computer system, dedicated machine, or processing device), firmware, or a combination thereof.

Method 300 begins at block 302 when an API security manager module 150 of a transaction authentication system 130 receives a key for encrypting one or more additional authentication challenges to be issued to a second computer system. In an example, API security manager module 150 receives a key for encrypting additional authentication challenges to be issued to a client 102A. For example, API security manager 150 may receive the key from client 102A as part of a registration process where client 102A is configured to access server machine 110 APIs. In one example, API security manager 150 receives a public key from a PGP key pair for encrypting additional authentication challenges to be issued to client 102A. The public key corresponds to a private key 108A stored in a secure area 106A of the client 102A and is used for decrypting additional authentication challenges by a privileged client 102A account having access to the secure area 106A.

At block 304, an API request receiver module 140 of a transaction authentication system 130 receives an application programming interface request from the second computer system. In an example, API request receiver module 140 receives a server machine 110 API request from a client 102A. For example, a client 102A may send an API request to server machine 110 to call an API providing banking, electronic commerce, e-mail, social networking, or another service.

At block 306, the API request receiver module 140 receives one or more credentials to authenticate the application programming interface request based on a first level of authentication. In an example, API request receiver module 140 receives one or more first-level authentication credentials from a client 102A seeking to access a server machine 110 API. First-level authentication credentials may include any combination of a username, password, PIN, passphrase, etc. In one example, API request receiver module 140 receives one or more first-level authentication credentials with an API request. In another example, API request receiver module 140 receives first-level authentication credentials in a client 102A communication separately from an API request.

At block 308, API security manager module 150 detects a change associated with the second computer system. In an example, API security manager module 150 collects and stores information about one or more clients 102A-102N. For example, API security manager module 150 may gather identifying or other information about each of one or more clients 102A-102N (e.g., machine name, IP address, MAC address, domain, network information, network paths, etc.). Such information may include attributes unique to a client 102A and other general information known about a client 102A (e.g., typical transaction periods, frequency, amounts, etc.). In one example, API security manager module 150 stores such information for each of one or more clients 102A-102N in respective client profiles.

In an example, API security manager 150 compares information known about a client 102A to new corresponding information gathered, collected or received from the client 102A at another time. For example, API security manager module 150 may compare identifying information known about a client 102A to information associated with an API request received from the client 102A. In one example, API security manager module 150 detects a change associated with the client 102A based on one or more of client 102A identification information, client 102A network information, usual client 102A behavior, transactional attributes of an API request, frequency of client 102A API requests, etc.

At block 310, API security manager module 150 generates an additional authentication challenge to further authenticate the application programming interface request. In an example, API security manager module 150 generates an additional authentication challenge in response to detecting one or more changes associated with the identity or behavior of a client 102A.

In an example, an additional authentication challenge generated by API security manager module 150 may include one or more mathematical calculations, one or more fact-based, predetermined or secret questions, or one or more tasks. In one example, API security manager module 150 generates an additional authentication challenge asking a client 102A to perform a task of obtaining a resource (e.g., a file, data) from a location.

At block 312, API security manager module 150 issues the additional authentication challenge to the second computer system. In an example, API security manager module 150 issues an additional authentication challenge to a client 102A to further authenticate the identity of the client 102A beyond first-level authentication. For example, API security manager module 150 may issue the additional authentication challenge to a client 102A in response to detecting a change associated with the client 102A. In some examples, API security manager module 150 identifies an identity change, a network change, a behavioral change, suspicious transactional attributes or behavior, or other observed difference associated with a client 102A.

In an example, API security manager module 150 later receives a response to the additional authentication challenge from a client 102A and analyzes the response to determine a result. API security manager module 150 then may provide a result of the additional authentication challenge to API request processor module 160 based on the determination. For example, the result provided by API security manager module 150 may indicate whether a client 102A provided a correct or an incorrect response to the additional authentication challenge.

At block 314, an API request processor module 160 processes the application programming interface request based on a result of the additional authentication challenge. In an example, API request processor module 160 of a transaction authentication system 130 processes an API request received from a client 102A based on a result of an additional authentication challenge. In an example, API request processor module 160 of a server machine 110 API executes a server machine 110 API request based on a successful result. In another example, API request processor module 160 denies a server machine 110 API request based on an unsuccessful result.

In an example, API request processor module 160 notifies one or more users, account holders, or other parties when an additional authentication challenge is unsuccessful. For example, API request processor module 160 may provide notification by sending an e-mail, initiating a call, sending a text message, etc. In one example, API request processor module 160 adjusts a risk model associated with one or more clients 102A-102N based on a result of an additional authentication challenge. For example, a client 102A trust level may increase in response to a successful result and may decrease in response to an unsuccessful result.
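The following sketch walks through blocks 302 to 314 of method 300 end to end. It is an added example and not part of the original disclosure: RSA-OAEP from the Go standard library stands in for the PGP key pair mentioned above, change detection is reduced to comparing an IP and a MAC address against the stored profile, and the names Profile, Server, Handle, Answer and Verify, the client identifier and the addresses are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// Profile is the per-client record: the public key registered in advance (block 302),
// attributes compared at block 308, and a trust score standing in for the risk model.
type Profile struct {
	Pub     *rsa.PublicKey
	IP, MAC string
	Trust   int
}

type pending struct {
	digest  [32]byte // SHA-256 of the expected answer
	expires time.Time
}

type Server struct {
	Profiles map[string]*Profile
	issued   map[string]pending
	TTL      time.Duration
}

func NewServer(ttl time.Duration) *Server {
	return &Server{map[string]*Profile{}, map[string]pending{}, ttl}
}

// NewKey makes the client's key pair; the private half never leaves the client.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Handle covers blocks 306-312: deny bad first-level credentials, allow a request that
// matches the profile, otherwise issue a nonce encrypted to the registered public key.
func (s *Server) Handle(id, ip, mac string, credsOK bool, now time.Time) (string, []byte) {
	p, ok := s.Profiles[id]
	if !ok || !credsOK {
		return "deny", nil
	}
	if p.IP == ip && p.MAC == mac {
		return "allow", nil
	}
	nonce := make([]byte, 32)
	_, e1 := rand.Read(nonce)
	ct, e2 := rsa.EncryptOAEP(sha256.New(), rand.Reader, p.Pub, nonce, []byte(id))
	if e1 != nil || e2 != nil {
		return "deny", nil // fail closed if no challenge can be produced
	}
	s.issued[id] = pending{sha256.Sum256(nonce), now.Add(s.TTL)}
	return "challenge", ct
}

// Answer is the client side: decrypt with the private key held in the secure area.
func Answer(priv *rsa.PrivateKey, id string, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(id))
}

// Verify covers block 314: single use, expiry, constant-time compare, trust update.
func (s *Server) Verify(id string, answer []byte, now time.Time) bool {
	pc, ok := s.issued[id]
	delete(s.issued, id)
	got := sha256.Sum256(answer)
	good := ok && now.Before(pc.expires) && subtle.ConstantTimeCompare(got[:], pc.digest[:]) == 1
	if p := s.Profiles[id]; p != nil && good {
		p.Trust++
	} else if p != nil {
		p.Trust--
	}
	return good
}

func main() { // constructed sample client; addresses are documentation ranges
	key, s, now := NewKey(), NewServer(time.Minute), time.Now()
	s.Profiles["client-102A"] = &Profile{&key.PublicKey, "192.0.2.10", "02:00:00:00:00:01", 0}
	action, ct := s.Handle("client-102A", "198.51.100.7", "02:00:00:00:00:01", true, now)
	ans, _ := Answer(key, "client-102A", ct)
	fmt.Println(action, s.Verify("client-102A", ans, now.Add(time.Second)))
}
```

Because the pending entry is deleted on the first Verify call, a replayed answer fails, and a holder of the first-level credentials without the private key cannot produce the nonce at all.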

FIG. 4 illustrates a diagram of a machine in the exemplary form of a computer system 400 within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed. In other examples, the machine may be connected (e.g., networked) to other machines in a LAN, an intranet, an extranet, or the Internet. The machine may operate in the capacity of a server or a client machine in a client-server network environment, or as a peer machine in a peer-to-peer (or distributed) network environment. The machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.

The exemplary computer system 400 includes a processing device (processor) 402, a main memory 404 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM), double data rate (DDR SDRAM), or Rambus DRAM (RDRAM), etc.), a static memory 406 (e.g., flash memory, static random access memory (SRAM), etc.), and a data storage device 418, which communicate with each other via a bus 430.

Processor 402 represents one or more general-purpose processing devices such as a microprocessor, central processing unit, or the like. More particularly, the processor 402 may be a complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or a processor implementing other instruction sets or processors implementing a combination of instruction sets. The processor 402 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. The processor 402 is configured to execute instructions 422 for performing the operations and steps discussed herein.

The computer system 400 may further include a network interface device 408. The computer system 400 also may include a video display unit 410 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 412 (e.g., a keyboard), a cursor control device 414 (e.g., a mouse), and a signal generation device 416 (e.g., a speaker).

The data storage device 418 may include a computer-readable storage medium 428 on which is stored one or more sets of instructions 422 (e.g., software) embodying any one or more of the methodologies or functions described herein. The instructions 422 may also reside, completely or at least partially, within the main memory 404 and/or within the processor 402 during execution thereof by the computer system 400, the main memory 404 and the processor 402 also constituting computer-readable storage media. The instructions 422 may further be transmitted or received over a network 420 via the network interface device 408.

In one example, the instructions 422 include instructions for one or more modules of a transaction authentication system (e.g., transaction authentication system 130 of FIG. 1) and/or a software library containing methods that call a transaction authentication system 130. While the computer-readable storage medium 428 (machine-readable storage medium) is shown in an example to be a single medium, the term “computer-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The term “computer-readable storage medium” shall also be taken to include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present disclosure. The term “computer-readable storage medium” shall accordingly be taken to include, but not be limited to, solid-state memories, optical media, and magnetic media.

In the foregoing description, numerous details are set forth. It will be apparent, however, to one of ordinary skill in the art having the benefit of this disclosure, that the present disclosure may be practiced without these specific details. In some instances, well-known structures and devices are shown in block diagram form, rather than in detail, in order to avoid obscuring the present disclosure.

Some portions of the detailed description have been presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.

It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following discussion, it is appreciated that throughout the description, discussions utilizing terms such as “computing”, “comparing”, “applying”, “transmitting”, “receiving,” “processing,” or the like, refer to the actions and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (e.g., electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.

Certain examples of the present disclosure also relate to an apparatus for performing the operations herein. This apparatus may be constructed for the intended purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions.

It is to be understood that the above description is intended to be illustrative, and not restrictive. Many other examples will be apparent to those of skill in the art upon reading and understanding the above description. The scope of the disclosure should, therefore, be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled. 

What is claimed is:
 1. A computer system, comprising: a non-transitory memory storing instructions; and one or more hardware processors coupled to the non-transitory memory and configured to read the instructions from the non-transitory memory to cause the system to perform operations comprising: receiving, by a computer system providing access to an application programming interface, a public key provided by a user for encrypting an additional authentication challenge, the public key being provided by the user in advance of a request to use the application programming interface from a client device claiming to be associated with the user; receiving, by the computer system, one or more credentials to authenticate the application programming interface request from the client device based on a first level of authentication; encrypting, by the computer system, the additional authentication challenge that is to be issued to the client device requesting access to the application programming interface using the public key provided in advance by the user; issuing the encrypted additional authentication challenge to the client device to further authenticate the application programming interface request based on detecting that information known about the user differs from information associated with the client device; processing the application programming interface request based on a result of issuing the encrypted additional authentication challenge to the client device; and detecting, by the computer system, abnormal use of the application programming interface associated with the client device based on a deviation from baseline usage of the application programming interface.
 2. The computer system of claim 1, wherein the operations further comprise: receiving, by the computer system, the application programming interface request from the client device.
 3. The computer system of claim 1, wherein the operations further comprise: detecting, by the computer system, a difference between information known about the user and information associated with the client device.
 4. The computer system of claim 1, wherein the operations further comprise: detecting, by the computer system, an identity attribute change for the user based on information associated with the client device.
 5. The computer system of claim 1, wherein the operations further comprise: detecting, by the computer system, a network attribute change for the user based on information associated with the client device.
 6. The computer system of claim 1, wherein the abnormal use is detected based on a deviation from an observed baseline pattern of application programming interface activity associated with the user.
 7. The computer system of claim 1, wherein the operations further comprise: generating, by the computer system, the additional authentication challenge to further authenticate the application programming interface request in response to detecting that information known about the user differs from information associated with the client device.
 8. The computer system of claim 1, wherein the operations further comprise: associating, by the computer system, the public key for encrypting the additional authentication challenge with an account associated with the user.
 9. The computer system of claim 1, wherein the public key received by the computer system corresponds to a private key stored in a secure area on the client device.
 10. The computer system of claim 1, wherein the operations further comprise: permitting, by the computer system, the application programming interface request when a correct response to the additional authentication challenge is received from the client device.
 11. The computer system of claim 1, wherein the operations further comprise: denying, by the computer system, the application programming interface request when an incorrect response to the additional authentication challenge is received from the client device.
 12. The computer system of claim 1, wherein the operations further comprise: denying, by the computer system, the application programming interface request when a period of time expires before receiving a response to the additional authentication challenge.
 13. The computer system of claim 1, wherein the operations further comprise: blocking, by the computer system, one or more subsequent application programming interface requests from the client device based on failure of the client device to provide an acceptable response to the additional authentication challenge.
 14. The computer system of claim 1, wherein the user provides the public key for encrypting the additional authentication challenge to prevent an unauthorized party having access to the credentials from using the application programming interface.
 15. The computer system of claim 1, wherein the user provides the public key from a secure location associated with a privileged account of the user.
 16. The computer system of claim 1, wherein the public key is associated with a corresponding private key for decryption, the private key being stored in a secure area accessible to a privileged account associated with the user.
 17. A computer-implemented method, comprising: receiving, by one or more processor devices, a public key from a user for encrypting an additional authentication challenge, the public key being provided by the user in advance of a request to use a web-based application programming interface from a client device claiming to be associated with the user; receiving, by the processor devices, one or more credentials to authenticate the web-based application programming interface request from the client device based on a first level of authentication; encrypting, by the processor devices, the additional authentication challenge to further authenticate the web-based application programming interface request using the public key provided in advance by the user; issuing, by the processor devices, the encrypted additional authentication challenge to the client device based on detecting that information known about the user differs from information associated with the client device; processing, by the processor devices, the web-based application programming interface request based on a result of issuing the encrypted additional authentication challenge to the client device; and detecting, by the processor devices, abnormal use of the application programming interface associated with the client device based on a deviation from baseline usage of the application programming interface.
 18. The computer-implemented method of claim 17, further comprising: receiving, by the processor devices, the web-based application programming interface request from the client device.
 19. The computer-implemented method of claim 17, further comprising: detecting, by the processor devices, a difference between information known about the user and information associated with the client device.
 20. The computer-implemented method of claim 17, further comprising: detecting, by the processor devices, an identity attribute change for the user based on information associated with the client device.
 21. The computer-implemented method of claim 17, further comprising: detecting, by the processor devices, a network attribute change for the user based on information associated with the client device.
 22. The computer-implemented method of claim 17, wherein the abnormal use is detected based on a deviation from an observed baseline pattern of application programming interface activity associated with the user.
 23. The computer-implemented method of claim 17, further comprising: generating, by the processor devices, the additional authentication challenge to further authenticate the web-based application programming interface request in response to detecting that information known about the user differs from information associated with the client device.
 24. The computer-implemented method of claim 17, further comprising: associating, by the processor devices, the public key for encrypting the additional authentication challenge with an account associated with the user.
 25. The computer-implemented method of claim 17, wherein the public key received by the computer system corresponds to a private key stored in a secure area on the client device.
 26. The computer-implemented method of claim 17, further comprising: permitting, by the processor devices, the web-based application programming interface request when a correct response to the additional authentication challenge is received from the client device.
 27. The computer-implemented method of claim 17, further comprising: denying, by the processor devices, the web-based application programming interface request when an incorrect response to the additional authentication challenge is received from the client device.
 28. The computer-implemented method of claim 17, further comprising: denying, by the processor devices, the web-based application programming interface request when a period of time expires before receiving a response to the additional authentication challenge.
 29. The computer-implemented method of claim 17, further comprising: blocking, by the processor devices, one or more subsequent application programming interface requests from the client device based on failure of the client device to provide an acceptable response to the additional authentication challenge.
 30. The computer-implemented method of claim 17, wherein the user provides the public key for encrypting the additional authentication challenge to prevent an unauthorized party having access to the credentials from using the web-based application programming interface.
 31. The computer-implemented method of claim 17, wherein the user provides the public key from a secure location associated with a privileged account of the user.
 32. The computer-implemented method of claim 17, wherein the public key is associated with a corresponding private key for decryption, the private key being stored in a secure area accessible to a privileged account associated with the user.
 33. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising: receiving a request to use an application programming interface from a client device claiming to be associated with a registered user of the application programming interface; generating the additional authentication challenge to further authenticate the request to use the application programming interface based on detecting that information known about the user differs from information associated with the client device; encrypting the additional authentication challenge using the public key provided by the user; processing the application programming interface request based on a result of issuing the encrypted additional authentication challenge to the client device; and detecting abnormal use of the application programming interface associated with the client device based on a deviation from baseline usage of the application programming interface.
 34. The non-transitory machine-readable medium of claim 33, further comprising: receiving the application programming interface request from the client device.
 35. The non-transitory machine-readable medium of claim 33, further comprising: detecting a difference between information known about the user and information associated with the client device.
 36. The non-transitory machine-readable medium of claim 33, further comprising: detecting an identity attribute change for the user based on information associated with the client device.
 37. The non-transitory machine-readable medium of claim 33, further comprising: detecting a network attribute change for the user based on information associated with the client device.
 38. The non-transitory machine-readable medium of claim 33, wherein the abnormal use is detected based on a deviation from an observed baseline pattern of application programming interface activity associated with the user.
 39. The non-transitory machine-readable medium of claim 33, further comprising: generating the additional authentication challenge to further authenticate the application programming interface request in response to detecting that information known about the user differs from information associated with the client device.
 40. The non-transitory machine-readable medium of claim 33, further comprising: associating the public key for encrypting the additional authentication challenge with an account associated with the user.
 41. The non-transitory machine-readable medium of claim 33, wherein the public key received by the computer system corresponds to a private key stored in a secure area on the client device.
 42. The non-transitory machine-readable medium of claim 33, further comprising: permitting the application programming interface request when a correct response to the additional authentication challenge is received from the client device.
 43. The non-transitory machine-readable medium of claim 33, further comprising: denying the application programming interface request when an incorrect response to the additional authentication challenge is received from the client device.
 44. The non-transitory machine-readable medium of claim 33, further comprising: denying the application programming interface request when a period of time expires before receiving a response to the additional authentication challenge.
 45. The non-transitory machine-readable medium of claim 33, further comprising: blocking one or more subsequent application programming interface requests from the client device based on failure of the client device to provide an acceptable response to the additional authentication challenge.
 46. The non-transitory machine-readable medium of claim 33, wherein the user provides the public key for encrypting the additional authentication challenge to prevent an unauthorized party having access to the credentials from using the application programming interface.
 47. The non-transitory machine-readable medium of claim 33, wherein the user provides the public key from a secure location associated with a privileged account of the user.
 48. The non-transitory machine-readable medium of claim 33, wherein the public key is associated with a corresponding private key for decryption, the private key being stored in a secure area accessible to a privileged account associated with the user. 